Capital markets regulator Sebi on Thursday tweaked the cyber security and cyber resilience framework for asset management companies (AMCs) and mandated them to conduct a comprehensive cyber audit at least twice in a financial year.
Along with the cyber audit reports, AMCs have been asked to submit to stock exchanges and depositories a declaration from the MD and CEO, certifying compliance by them with all Sebi guidelines and advisories related to cyber security issued from time to time, according to a circular.
The new framework will come into force from July 15.
Under the modified framework, the asset management firms need to identify and classify critical assets based on their sensitivity and criticality for business operations, services and data management.
Further, business-critical systems, internet-facing applications/systems, systems containing sensitive data, sensitive personal data, sensitive financial data, and personally identifiable information data, among others, should all be considered critical assets.
All auxiliary systems that connect to or communicate with critical systems, whether for operations or maintenance, must be designated as critical systems as well.
The board of AMC is required to approve the list of critical systems.
“To this end, Mutual funds/ AMCs shall maintain an up-to-date inventory of its hardware and systems, software and information assets (internal and external), details of its network resources, connections to its network and data flows,” Sebi said.
According to Sebi, they must conduct regular Vulnerability Assessments and Penetration Tests (VAPT) that include critical assets and infrastructure components in order to detect security vulnerabilities in the IT environment and an in-depth evaluation of the security posture of the system through simulations of real attacks on their systems and networks.
AMCs are required to conduct VAPT at least once in a financial year. However, for the mutual funds/ AMCs, whose systems have been identified as “protected system” by National Critical Information Infrastructure Protection Centre (NCIIPC) need to conduct VAPT at least twice in a financial year.
Further, they are required to engage only CERT-In (Indian Computer Emergency Response Team) empanelled organisations for conducting VAPT.
Within a month from the completion of the VAPT, the final report must be submitted to Sebi with the approval of the technology committee of respective AMCs.
“Any gaps/vulnerabilities detected shall be remedied on immediate basis and compliance of closure of findings identified during VAPT shall be submitted to the stock exchanges/depositories within three months post the submission of final VAPT report,” the regulator said.
Earlier, the regulator came out with a modified cyber security and cyber resilience framework for stock brokers and depository participants, market infrastructure institutions — stock exchanges, depository and clearing corporations — and KYC registration agencies (KRAs).